debsecan
Debian security vulnerability scanner
TLDR
List vulnerable installed packages
$ debsecan
List vulnerabilities for specific suite
$ debsecan --suite [release_code_name]
List only fixed vulnerabilities
$ debsecan --suite [release_code_name] --only-fixed
List fixed vulnerabilities and mail report
$ debsecan --suite [sid] --only-fixed --format report --mailto [root] --update-history
Upgrade vulnerable packages
$ sudo apt upgrade $(debsecan --only-fixed --format packages)
SYNOPSIS
debsecan [options]
DESCRIPTION
debsecan (Debian Security Analyzer) lists known vulnerabilities in installed packages. It checks against Debian's security tracker database and reports CVEs affecting the system.
Useful for security auditing and identifying packages that need updates.
PARAMETERS
--suite suite
Debian release (stretch, buster, bullseye, sid)
--only-fixed
Only show vulnerabilities with available fixes
--format format
Output format (summary, detail, report, packages)
--mailto address
Email report to address
--update-history
Track vulnerability history
CAVEATS
Requires network access to fetch vulnerability data. The suite must match the installed system. Some listed vulnerabilities may not be exploitable in your specific configuration.
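Because the raw list mixes fixable and unfixable findings, a per-package triage of the summary output helps decide what to upgrade first. The following is an added example, not part of debsecan or of the original page; it assumes summary lines of the form "ID package (flag, flag, ...)", and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumption: debsecan summary lines look like "ID package (flag, flag, ...)",
# with the parenthesised flag list omitted when no flag applies.

# Constructed sample input (made-up IDs and package names, not scanner output).
sample_summary() {
cat <<'EOF'
CVE-2099-0001 libexample1 (fixed, remotely exploitable, high urgency)
CVE-2099-0002 libexample1 (fixed, low urgency)
CVE-2099-0003 exampled (remotely exploitable, medium urgency)
CVE-2099-0004 exampled
TEMP-0000000-ABCDEF example-tools (fixed)
EOF
}

# stdin: summary lines. stdout: "package fixed_count total_count" per package.
triage_by_package() {
    awk '
    NF >= 2 {
        pkg = $2
        total[pkg]++
        flags = ""
        if (match($0, /\(.*\)$/))
            flags = substr($0, RSTART + 1, RLENGTH - 2)
        n = split(flags, f, /, */)
        for (i = 1; i <= n; i++)
            if (f[i] == "fixed") fixed[pkg]++
    }
    END {
        for (p in total) printf "%s %d %d\n", p, fixed[p], total[p]
    }' | LC_ALL=C sort
}

# Packages with at least one fix available, i.e. what an upgrade can address.
upgradable_packages() {
    triage_by_package | awk '$2 > 0 { print $1 }'
}

# Number of findings that have a fix available and are flagged high urgency;
# a non-zero count is a reasonable trigger for an alert from cron.
fixable_high_count() {
    awk '/\(.*fixed.*\)$/ && /high urgency/ { n++ } END { print n + 0 }'
}

# Usage on a real system (suite placeholder as in the commands above):
#   debsecan --suite [release_code_name] | triage_by_package
```

Packages that show a fixed count of 0 have no fix available yet, so they need mitigation or monitoring rather than an upgrade.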
SEE ALSO
apt(8), unattended-upgrades(8)
